
1Password users can already have effectively the same experience.



Not as securely or cheaply: using 1Password this way either requires less secure TOTP codes (which are easily phished) or a separate token.

Having this available to every Apple user on the web is huge, especially when you look at the network benefits of the Apple feature pushing all of the slackers (hi, every large financial company!) to implement secure MFA.


How are TOTP codes more phishable? Seems like the same phishability to me


If https://fake-bank.example/ persuades you it is your real bank you can just type your TOTP code into it, and now the crooks operating it have a valid TOTP code. Nothing stops you doing this, it relies on you to know it's the wrong site to protect yourself and that's not reliable.

Machinery to take that TOTP code and immediately plug it into the real bank (since it's time sensitive) exists already.

In contrast WebAuthn credentials are tied to the domain name of the site. Your iPhone doesn't have any credentials for https://fake-bank.example/ so it won't sign you in, and even if it did have credentials for fake-bank.example they'd be completely useless on the https://real-bank.example/ web site. There is no way to give real-bank credentials to fake-bank, it just can't work because the cryptographic material used is tied to the domain name.

Google deployed an earlier iteration of this same technology and reported zero phishing for accounts protected this way because it isn't possible to see how to phish it without some grave security bug somewhere. This is the penicillin of web user security, it's a night-and-day difference over what we had before.
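The comment above describes why a TOTP code typed into a look-alike site can be relayed to the real one, while a WebAuthn assertion cannot. Here is an added worked example (not from the thread or from any vendor) that simulates both sides. The domains real-bank.example and fake-bank.example are taken from the comment; the TOTP secret, challenge and credential keys are constructed. The authenticator "signature" is an HMAC stand-in for the real private-key signature, and the browser's RP-ID rule is simplified; both are assumptions for illustration, not WebAuthn's actual primitives.

```python
"""Added example: TOTP relay succeeds, WebAuthn relay fails (origin/RP-ID binding)."""
import hashlib, hmac, json, struct

# --- TOTP (RFC 6238) as an authenticator app or password manager computes it ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp(secret: bytes, at: int, step: int = 30) -> str:
    return hotp(secret, at // step)

def totp_relay_succeeds(shared_secret: bytes, now: int) -> bool:
    # The phishing page asks for "your 6-digit code". The code carries no hint of
    # which site it was typed into, so a proxy forwards it to the real bank at once.
    typed_into_fake_bank = totp(shared_secret, now)
    relayed_to_real_bank = typed_into_fake_bank
    return hmac.compare_digest(relayed_to_real_bank, totp(shared_secret, now))

# --- WebAuthn-style assertion, heavily simplified ---
REAL_RP_ID = "real-bank.example"
FAKE_RP_ID = "fake-bank.example"

class Authenticator:
    """Stand-in for the phone or security key: one credential per RP ID.
    Assumption: HMAC replaces the real per-credential private-key signature."""
    def __init__(self):
        self.credentials = {}

    def register(self, rp_id: str) -> bytes:
        key = hashlib.sha256(b"constructed-credential-" + rp_id.encode()).digest()
        self.credentials[rp_id] = key
        return key  # what the RP stores (a public key in real WebAuthn)

    def get_assertion(self, rp_id: str, origin: str, challenge: str) -> dict:
        if rp_id not in self.credentials:
            raise LookupError(f"no credential for {rp_id}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        # authenticatorData = rpIdHash || flags || signCount (other fields omitted)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.credentials[rp_id], signed, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def browser_get(auth: Authenticator, page_origin: str, rp_id: str, challenge: str) -> dict:
    """The browser, not the page, decides rp_id/origin: the requested RP ID must be the
    page's host or a parent of it (simplified registrable-suffix rule, an assumption)."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not use rpId {rp_id}")
    return auth.get_assertion(rp_id, page_origin, challenge)

def rp_verify(rp_id: str, expected_origin: str, expected_challenge: str,
              stored_key: bytes, assertion: dict) -> tuple:
    """Relying-party checks in the order the WebAuthn spec lists them (subset)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False, "bad type/challenge"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(stored_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def scenario() -> dict:
    auth = Authenticator()
    real_key = auth.register(REAL_RP_ID)
    challenge = "c0ffee-from-real-bank"  # constructed; a proxy would relay the real one
    real_origin, fake_origin = "https://" + REAL_RP_ID, "https://" + FAKE_RP_ID
    out = {}
    # 1. Phishing page script asks for real-bank's credential: the browser refuses.
    try:
        browser_get(auth, fake_origin, REAL_RP_ID, challenge)
    except PermissionError:
        out["browser_blocks_foreign_rp_id"] = True
    # 2. Phishing page asks for its own RP ID: the authenticator has nothing for it.
    try:
        browser_get(auth, fake_origin, FAKE_RP_ID, challenge)
    except LookupError:
        out["no_credential_for_fake_bank"] = True
    # 3. Even a credential registered at fake-bank is useless when relayed to real-bank.
    auth.register(FAKE_RP_ID)
    relayed = browser_get(auth, fake_origin, FAKE_RP_ID, challenge)
    out["relayed"] = rp_verify(REAL_RP_ID, real_origin, challenge, real_key, relayed)[1]
    # 4. Rewriting origin and rpIdHash to look right breaks the signature instead.
    tampered = dict(relayed)
    tampered["clientDataJSON"] = relayed["clientDataJSON"].replace(FAKE_RP_ID.encode(), REAL_RP_ID.encode())
    tampered["authenticatorData"] = hashlib.sha256(REAL_RP_ID.encode()).digest() + relayed["authenticatorData"][32:]
    out["tampered"] = rp_verify(REAL_RP_ID, real_origin, challenge, real_key, tampered)[1]
    # 5. The honest sign-in on the real site verifies.
    legit = browser_get(auth, real_origin, REAL_RP_ID, challenge)
    out["legit"] = rp_verify(REAL_RP_ID, real_origin, challenge, real_key, legit)[1]
    return out

if __name__ == "__main__":
    print("TOTP relay works:", totp_relay_succeeds(b"12345678901234567890", 59))
    print(scenario())
```

The two checks a relying party must never skip are the `origin` field in clientDataJSON and the `rpIdHash` prefix of authenticatorData: both sit inside the signed data, so an attacker can neither forward an assertion made for another origin nor patch those fields without invalidating the signature. The TOTP half shows the contrast: the code is just a number, and nothing in it records where it was entered.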


Apple users will get this natively without having to acquire 1Password. If you’ve bought into the Apple ecosystem and don’t have needs outside of it (Windows, Linux), you can eliminate the need for a separate password manager. Similar to how iCloud Files is moving towards (but likely won’t meet, while not needing to) Dropbox parity.

This is making a friendly version of Yubikeys (using Apple devices) and password vaults for Apple users.


For interested readers: 1Password does a few more things. For example, you can add 2FA to 1Password logins, so that 1Password replaces Google Authenticator with the immense advantage that you don’t have to setup 2FA again if you get a new device.

Just a happy 1Password user, not related to them in any way.


I use LastPass for passwords and Authy for 2FA. I like the idea that two different programs have to be attacked to get access to Google, Facebook, etc. There's a little bit more friction than having both in one program but that's the point.


Is it really 2FA if your password and your token are on the same device?


One could argue that authenticating via 1Password is already multi factor in itself e.g. Master Password is Something You Know as the first factor and access to a 1Password Vault is Something You Have as a second factor (since you cannot login to 1Password with just username and password, but also requires a Secret Key that can only be acquired from a device that already logged in).

In this case TOTP acts more like an insecure one-time session key.


Yes. 2FA protects, among other things, against compromised passwords. Having both on the same device does not reduce this protection.


Thanks I didn’t know this.


I'm more of a fan of buy-in without lock-in.


So, one more instance of Apple effectively rendering a third-party app useless. As an Apple user, I love that I do not need to install an additional app, but something does not feel right from an ethical standpoint. Or maybe I'm just being too touchy.


You feel that way because it's ethically corrupt behaviour on the part of Apple. They are aggressively pushing out others.


I would rather have a native UX versus Bitwarden, especially if there’s no additional cost (I have to pay for Bitwarden annually or spend time running a server) and an easy way to share creds with my partner (for delegation in the event of my passing).

Competition and a free market has perils. May the best solution win.


You can use Bitwarden for free while using their servers.


Not for family plans, unless something has changed in the last year.

Big fan of these features being native client side. These are features, not products. We should all be fans of improved security delivered to as many people as possible, with as little effort on their part.



